
Bro Index Template

a guest
Oct 30th, 2015
  # Registers the index template "fixstrings_bro" on the Elasticsearch node at
  # localhost:9200; it applies to every index whose name matches "bro-*".
  # The body declares one mapping type per Bro log (http, known_hosts,
  # known_services, dpd, weird, smtp, ssl, dns, snmp, x509, sip, notice, files,
  # intel, software, conn, app_stats). Every string field is "not_analyzed", so
  # a value is indexed as one exact term: addresses, URIs, user agents, hashes
  # and certificate subjects match and aggregate as whole values, not as tokens.
  #
  # NOTE(review): "type": "string" / "index": "not_analyzed" and the top-level
  # "template" key are legacy mapping syntax; newer Elasticsearch releases use
  # "keyword" and "index_patterns" instead - confirm the target version.
  # NOTE(review): field names containing dots ("id.orig_h", "seen.indicator",
  # "certificate.serial") are rejected by some Elasticsearch 2.x releases.
  # NOTE(review): "request_body_len" is "long" under http but "string" under
  # sip; one field name with two types in the same index can conflict - confirm.
  # NOTE(review): "ts" and the x509 validity bounds are "long", not "date", so
  # time-range filters treat them as plain numbers - confirm the unit written.
  # NOTE(review): host and address fields are strings, so only exact-value
  # matching is available on them, not IP range or CIDR queries.
  # NOTE(review): snmp "community" presumably stores SNMP community strings,
  # and the request itself carries no credentials over plain HTTP; restrict who
  # can reach port 9200 and who can read the bro-* indices.
  1. curl -XPUT localhost:9200/_template/fixstrings_bro -d '{
  2. "template": "bro-*",
  3. "mappings": {
  4. "http": {
  5. "properties": {
  6. "host": {
  7. "type": "string",
  8. "index": "not_analyzed"
  9. },
  10. "id.orig_h": {
  11. "type": "string",
  12. "index": "not_analyzed"
  13. },
  14. "id.orig_p": {
  15. "type": "long"
  16. },
  17. "id.resp_h": {
  18. "type": "string",
  19. "index": "not_analyzed"
  20. },
  21. "id.resp_p": {
  22. "type": "long"
  23. },
  24. "method": {
  25. "type": "string",
  26. "index": "not_analyzed"
  27. },
  28. "orig_fuids": {
  29. "type": "string",
  30. "index": "not_analyzed"
  31. },
  32. "orig_mime_types": {
  33. "type": "string",
  34. "index": "not_analyzed"
  35. },
  36. "referrer": {
  37. "type": "string",
  38. "index": "not_analyzed"
  39. },
  40. "request_body_len": {
  41. "type": "long"
  42. },
  43. "resp_fuids": {
  44. "type": "string",
  45. "index": "not_analyzed"
  46. },
  47. "resp_mime_types": {
  48. "type": "string",
  49. "index": "not_analyzed"
  50. },
  51. "response_body_len": {
  52. "type": "long"
  53. },
  54. "status_code": {
  55. "type": "long"
  56. },
  57. "status_msg": {
  58. "type": "string",
  59. "index": "not_analyzed"
  60. },
  61. "tags": {
  62. "type": "string",
  63. "index": "not_analyzed"
  64. },
  65. "trans_depth": {
  66. "type": "long"
  67. },
  68. "ts": {
  69. "type": "long"
  70. },
  71. "uid": {
  72. "type": "string",
  73. "index": "not_analyzed"
  74. },
  75. "uri": {
  76. "type": "string",
  77. "index": "not_analyzed"
  78. },
  79. "user_agent": {
  80. "type": "string",
  81. "index": "not_analyzed"
  82. }
  83. }
  84. },
  85. "known_hosts": {
  86. "properties": {
  87. "host": {
  88. "type": "string",
  89. "index": "not_analyzed"
  90. },
  91. "ts": {
  92. "type": "long"
  93. }
  94. }
  95. },
  96. "known_services": {
  97. "properties": {
  98. "host": {
  99. "type": "string",
  100. "index": "not_analyzed"
  101. },
  102. "port_num": {
  103. "type": "long"
  104. },
  105. "port_proto": {
  106. "type": "string",
  107. "index": "not_analyzed"
  108. },
  109. "service": {
  110. "type": "string",
  111. "index": "not_analyzed"
  112. },
  113. "ts": {
  114. "type": "long"
  115. }
  116. }
  117. },
  118. "dpd": {
  119. "properties": {
  120. "analyzer": {
  121. "type": "string",
  122. "index": "not_analyzed"
  123. },
  124. "failure_reason": {
  125. "type": "string",
  126. "index": "not_analyzed"
  127. },
  128. "id.orig_h": {
  129. "type": "string",
  130. "index": "not_analyzed"
  131. },
  132. "id.orig_p": {
  133. "type": "long"
  134. },
  135. "id.resp_h": {
  136. "type": "string",
  137. "index": "not_analyzed"
  138. },
  139. "id.resp_p": {
  140. "type": "long"
  141. },
  142. "proto": {
  143. "type": "string",
  144. "index": "not_analyzed"
  145. },
  146. "ts": {
  147. "type": "long"
  148. },
  149. "uid": {
  150. "type": "string",
  151. "index": "not_analyzed"
  152. }
  153. }
  154. },
  155. "weird": {
  156. "properties": {
  157. "id.orig_h": {
  158. "type": "string",
  159. "index": "not_analyzed"
  160. },
  161. "id.orig_p": {
  162. "type": "long"
  163. },
  164. "id.resp_h": {
  165. "type": "string",
  166. "index": "not_analyzed"
  167. },
  168. "id.resp_p": {
  169. "type": "long"
  170. },
  171. "name": {
  172. "type": "string",
  173. "index": "not_analyzed"
  174. },
  175. "notice": {
  176. "type": "boolean"
  177. },
  178. "peer": {
  179. "type": "string",
  180. "index": "not_analyzed"
  181. },
  182. "ts": {
  183. "type": "long"
  184. },
  185. "uid": {
  186. "type": "string",
  187. "index": "not_analyzed"
  188. }
  189. }
  190. },
  191. "smtp": {
  192. "properties": {
  193. "helo": {
  194. "type": "string",
  195. "index": "not_analyzed"
  196. },
  197. "id.orig_h": {
  198. "type": "string",
  199. "index": "not_analyzed"
  200. },
  201. "id.orig_p": {
  202. "type": "long"
  203. },
  204. "id.resp_h": {
  205. "type": "string",
  206. "index": "not_analyzed"
  207. },
  208. "id.resp_p": {
  209. "type": "long"
  210. },
  211. "is_webmail": {
  212. "type": "boolean"
  213. },
  214. "last_reply": {
  215. "type": "string",
  216. "index": "not_analyzed"
  217. },
  218. "path": {
  219. "type": "string",
  220. "index": "not_analyzed"
  221. },
  222. "tls": {
  223. "type": "boolean"
  224. },
  225. "trans_depth": {
  226. "type": "long"
  227. },
  228. "ts": {
  229. "type": "long"
  230. },
  231. "uid": {
  232. "type": "string",
  233. "index": "not_analyzed"
  234. }
  235. }
  236. },
  237. "ssl": {
  238. "properties": {
  239. "cert_chain_fuids": {
  240. "type": "string",
  241. "index": "not_analyzed"
  242. },
  243. "cipher": {
  244. "type": "string",
  245. "index": "not_analyzed"
  246. },
  247. "curve": {
  248. "type": "string",
  249. "index": "not_analyzed"
  250. },
  251. "established": {
  252. "type": "boolean"
  253. },
  254. "id.orig_h": {
  255. "type": "string",
  256. "index": "not_analyzed"
  257. },
  258. "id.orig_p": {
  259. "type": "long"
  260. },
  261. "id.resp_h": {
  262. "type": "string",
  263. "index": "not_analyzed"
  264. },
  265. "id.resp_p": {
  266. "type": "long"
  267. },
  268. "issuer": {
  269. "type": "string",
  270. "index": "not_analyzed"
  271. },
  272. "next_protocol": {
  273. "type": "string",
  274. "index": "not_analyzed"
  275. },
  276. "resumed": {
  277. "type": "boolean"
  278. },
  279. "server_name": {
  280. "type": "string",
  281. "index": "not_analyzed"
  282. },
  283. "subject": {
  284. "type": "string",
  285. "index": "not_analyzed"
  286. },
  287. "ts": {
  288. "type": "long"
  289. },
  290. "uid": {
  291. "type": "string",
  292. "index": "not_analyzed"
  293. },
  294. "validation_status": {
  295. "type": "string",
  296. "index": "not_analyzed"
  297. },
  298. "version": {
  299. "type": "string",
  300. "index": "not_analyzed"
  301. }
  302. }
  303. },
  304. "dns": {
  305. "properties": {
  306. "AA": {
  307. "type": "boolean"
  308. },
  309. "RA": {
  310. "type": "boolean"
  311. },
  312. "RD": {
  313. "type": "boolean"
  314. },
  315. "TC": {
  316. "type": "boolean"
  317. },
  318. "Z": {
  319. "type": "long"
  320. },
  321. "id.orig_h": {
  322. "type": "string",
  323. "index": "not_analyzed"
  324. },
  325. "id.orig_p": {
  326. "type": "long"
  327. },
  328. "id.resp_h": {
  329. "type": "string",
  330. "index": "not_analyzed"
  331. },
  332. "id.resp_p": {
  333. "type": "long"
  334. },
  335. "proto": {
  336. "type": "string",
  337. "index": "not_analyzed"
  338. },
  339. "qclass": {
  340. "type": "long"
  341. },
  342. "qclass_name": {
  343. "type": "string",
  344. "index": "not_analyzed"
  345. },
  346. "qtype": {
  347. "type": "long"
  348. },
  349. "qtype_name": {
  350. "type": "string",
  351. "index": "not_analyzed"
  352. },
  353. "query": {
  354. "type": "string",
  355. "index": "not_analyzed"
  356. },
  357. "rcode": {
  358. "type": "long"
  359. },
  360. "rcode_name": {
  361. "type": "string",
  362. "index": "not_analyzed"
  363. },
  364. "rejected": {
  365. "type": "boolean"
  366. },
  367. "trans_id": {
  368. "type": "long"
  369. },
  370. "ts": {
  371. "type": "long"
  372. },
  373. "uid": {
  374. "type": "string",
  375. "index": "not_analyzed"
  376. }
  377. }
  378. },
  379. "snmp": {
  380. "properties": {
  381. "community": {
  382. "type": "string",
  383. "index": "not_analyzed"
  384. },
  385. "duration": {
  386. "type": "double"
  387. },
  388. "get_bulk_requests": {
  389. "type": "long"
  390. },
  391. "get_requests": {
  392. "type": "long"
  393. },
  394. "get_responses": {
  395. "type": "long"
  396. },
  397. "id.orig_h": {
  398. "type": "string",
  399. "index": "not_analyzed"
  400. },
  401. "id.orig_p": {
  402. "type": "long"
  403. },
  404. "id.resp_h": {
  405. "type": "string",
  406. "index": "not_analyzed"
  407. },
  408. "id.resp_p": {
  409. "type": "long"
  410. },
  411. "set_requests": {
  412. "type": "long"
  413. },
  414. "ts": {
  415. "type": "long"
  416. },
  417. "uid": {
  418. "type": "string",
  419. "index": "not_analyzed"
  420. },
  421. "version": {
  422. "type": "string",
  423. "index": "not_analyzed"
  424. }
  425. }
  426. },
  427. "x509": {
  428. "properties": {
  429. "basic_constraints.ca": {
  430. "type": "boolean"
  431. },
  432. "basic_constraints.path_len": {
  433. "type": "long"
  434. },
  435. "certificate.exponent": {
  436. "type": "string",
  437. "index": "not_analyzed"
  438. },
  439. "certificate.issuer": {
  440. "type": "string",
  441. "index": "not_analyzed"
  442. },
  443. "certificate.key_alg": {
  444. "type": "string",
  445. "index": "not_analyzed"
  446. },
  447. "certificate.key_length": {
  448. "type": "long"
  449. },
  450. "certificate.key_type": {
  451. "type": "string",
  452. "index": "not_analyzed"
  453. },
  454. "certificate.not_valid_after": {
  455. "type": "long"
  456. },
  457. "certificate.not_valid_before": {
  458. "type": "long"
  459. },
  460. "certificate.serial": {
  461. "type": "string",
  462. "index": "not_analyzed"
  463. },
  464. "certificate.sig_alg": {
  465. "type": "string",
  466. "index": "not_analyzed"
  467. },
  468. "certificate.subject": {
  469. "type": "string",
  470. "index": "not_analyzed"
  471. },
  472. "certificate.version": {
  473. "type": "long"
  474. },
  475. "id": {
  476. "type": "string",
  477. "index": "not_analyzed"
  478. },
  479. "san.dns": {
  480. "type": "string",
  481. "index": "not_analyzed"
  482. },
  483. "ts": {
  484. "type": "long"
  485. }
  486. }
  487. },
  488. "sip": {
  489. "properties": {
  490. "call_id": {
  491. "type": "string",
  492. "index": "not_analyzed"
  493. },
  494. "id.orig_h": {
  495. "type": "string",
  496. "index": "not_analyzed"
  497. },
  498. "id.orig_p": {
  499. "type": "long"
  500. },
  501. "id.resp_h": {
  502. "type": "string",
  503. "index": "not_analyzed"
  504. },
  505. "id.resp_p": {
  506. "type": "long"
  507. },
  508. "method": {
  509. "type": "string",
  510. "index": "not_analyzed"
  511. },
  512. "request_body_len": {
  513. "type": "string",
  514. "index": "not_analyzed"
  515. },
  516. "request_from": {
  517. "type": "string",
  518. "index": "not_analyzed"
  519. },
  520. "request_path": {
  521. "type": "string",
  522. "index": "not_analyzed"
  523. },
  524. "request_to": {
  525. "type": "string",
  526. "index": "not_analyzed"
  527. },
  528. "seq": {
  529. "type": "string",
  530. "index": "not_analyzed"
  531. },
  532. "trans_depth": {
  533. "type": "long"
  534. },
  535. "ts": {
  536. "type": "long"
  537. },
  538. "uid": {
  539. "type": "string",
  540. "index": "not_analyzed"
  541. },
  542. "uri": {
  543. "type": "string",
  544. "index": "not_analyzed"
  545. },
  546. "user_agent": {
  547. "type": "string",
  548. "index": "not_analyzed"
  549. }
  550. }
  551. },
  552. "notice": {
  553. "properties": {
  554. "actions": {
  555. "type": "string",
  556. "index": "not_analyzed"
  557. },
  558. "dropped": {
  559. "type": "boolean"
  560. },
  561. "dst": {
  562. "type": "string",
  563. "index": "not_analyzed"
  564. },
  565. "id.orig_h": {
  566. "type": "string",
  567. "index": "not_analyzed"
  568. },
  569. "id.orig_p": {
  570. "type": "long"
  571. },
  572. "id.resp_h": {
  573. "type": "string",
  574. "index": "not_analyzed"
  575. },
  576. "id.resp_p": {
  577. "type": "long"
  578. },
  579. "msg": {
  580. "type": "string",
  581. "index": "not_analyzed"
  582. },
  583. "note": {
  584. "type": "string",
  585. "index": "not_analyzed"
  586. },
  587. "p": {
  588. "type": "long"
  589. },
  590. "peer_descr": {
  591. "type": "string",
  592. "index": "not_analyzed"
  593. },
  594. "proto": {
  595. "type": "string",
  596. "index": "not_analyzed"
  597. },
  598. "src": {
  599. "type": "string",
  600. "index": "not_analyzed"
  601. },
  602. "sub": {
  603. "type": "string",
  604. "index": "not_analyzed"
  605. },
  606. "suppress_for": {
  607. "type": "double"
  608. },
  609. "ts": {
  610. "type": "long"
  611. },
  612. "uid": {
  613. "type": "string",
  614. "index": "not_analyzed"
  615. }
  616. }
  617. },
  618. "files": {
  619. "properties": {
  620. "analyzers": {
  621. "type": "string",
  622. "index": "not_analyzed"
  623. },
  624. "conn_uids": {
  625. "type": "string",
  626. "index": "not_analyzed"
  627. },
  628. "depth": {
  629. "type": "long"
  630. },
  631. "duration": {
  632. "type": "double"
  633. },
  634. "filename": {
  635. "type": "string",
  636. "index": "not_analyzed"
  637. },
  638. "fuid": {
  639. "type": "string",
  640. "index": "not_analyzed"
  641. },
  642. "is_orig": {
  643. "type": "boolean"
  644. },
  645. "local_orig": {
  646. "type": "boolean"
  647. },
  648. "md5": {
  649. "type": "string",
  650. "index": "not_analyzed"
  651. },
  652. "mime_type": {
  653. "type": "string",
  654. "index": "not_analyzed"
  655. },
  656. "missing_bytes": {
  657. "type": "long"
  658. },
  659. "overflow_bytes": {
  660. "type": "long"
  661. },
  662. "rx_hosts": {
  663. "type": "string",
  664. "index": "not_analyzed"
  665. },
  666. "seen_bytes": {
  667. "type": "long"
  668. },
  669. "sha1": {
  670. "type": "string",
  671. "index": "not_analyzed"
  672. },
  673. "source": {
  674. "type": "string",
  675. "index": "not_analyzed"
  676. },
  677. "timedout": {
  678. "type": "boolean"
  679. },
  680. "total_bytes": {
  681. "type": "long"
  682. },
  683. "ts": {
  684. "type": "long"
  685. },
  686. "tx_hosts": {
  687. "type": "string",
  688. "index": "not_analyzed"
  689. }
  690. }
  691. },
  692. "intel": {
  693. "properties": {
  694. "id.orig_h": {
  695. "type": "string",
  696. "index": "not_analyzed"
  697. },
  698. "id.orig_p": {
  699. "type": "long"
  700. },
  701. "id.resp_h": {
  702. "type": "string",
  703. "index": "not_analyzed"
  704. },
  705. "id.resp_p": {
  706. "type": "long"
  707. },
  708. "seen.indicator": {
  709. "type": "string",
  710. "index": "not_analyzed"
  711. },
  712. "seen.indicator_type": {
  713. "type": "string",
  714. "index": "not_analyzed"
  715. },
  716. "seen.node": {
  717. "type": "string",
  718. "index": "not_analyzed"
  719. },
  720. "seen.where": {
  721. "type": "string",
  722. "index": "not_analyzed"
  723. },
  724. "sources": {
  725. "type": "string",
  726. "index": "not_analyzed"
  727. },
  728. "ts": {
  729. "type": "long"
  730. },
  731. "uid": {
  732. "type": "string",
  733. "index": "not_analyzed"
  734. }
  735. }
  736. },
  737. "software": {
  738. "properties": {
  739. "host": {
  740. "type": "string",
  741. "index": "not_analyzed"
  742. },
  743. "name": {
  744. "type": "string",
  745. "index": "not_analyzed"
  746. },
  747. "software_type": {
  748. "type": "string",
  749. "index": "not_analyzed"
  750. },
  751. "ts": {
  752. "type": "long"
  753. },
  754. "unparsed_version": {
  755. "type": "string",
  756. "index": "not_analyzed"
  757. },
  758. "version.addl": {
  759. "type": "string",
  760. "index": "not_analyzed"
  761. },
  762. "version.major": {
  763. "type": "long"
  764. },
  765. "version.minor": {
  766. "type": "long"
  767. },
  768. "version.minor2": {
  769. "type": "long"
  770. },
  771. "version.minor3": {
  772. "type": "long"
  773. }
  774. }
  775. },
  776. "conn": {
  777. "properties": {
  778. "conn_state": {
  779. "type": "string",
  780. "index": "not_analyzed"
  781. },
  782. "duration": {
  783. "type": "double"
  784. },
  785. "history": {
  786. "type": "string",
  787. "index": "not_analyzed"
  788. },
  789. "id.orig_h": {
  790. "type": "string",
  791. "index": "not_analyzed"
  792. },
  793. "id.orig_p": {
  794. "type": "long"
  795. },
  796. "id.resp_h": {
  797. "type": "string",
  798. "index": "not_analyzed"
  799. },
  800. "id.resp_p": {
  801. "type": "long"
  802. },
  803. "local_orig": {
  804. "type": "boolean"
  805. },
  806. "local_resp": {
  807. "type": "boolean"
  808. },
  809. "missed_bytes": {
  810. "type": "long"
  811. },
  812. "orig_bytes": {
  813. "type": "long"
  814. },
  815. "orig_ip_bytes": {
  816. "type": "long"
  817. },
  818. "orig_pkts": {
  819. "type": "long"
  820. },
  821. "proto": {
  822. "type": "string",
  823. "index": "not_analyzed"
  824. },
  825. "resp_bytes": {
  826. "type": "long"
  827. },
  828. "resp_ip_bytes": {
  829. "type": "long"
  830. },
  831. "resp_pkts": {
  832. "type": "long"
  833. },
  834. "service": {
  835. "type": "string",
  836. "index": "not_analyzed"
  837. },
  838. "ts": {
  839. "type": "long"
  840. },
  841. "uid": {
  842. "type": "string",
  843. "index": "not_analyzed"
  844. }
  845. }
  846. },
  847. "app_stats": {
  848. "properties": {
  849. "app": {
  850. "type": "string",
  851. "index": "not_analyzed"
  852. },
  853. "bytes": {
  854. "type": "long"
  855. },
  856. "hits": {
  857. "type": "long"
  858. },
  859. "ts": {
  860. "type": "long"
  861. },
  862. "ts_delta": {
  863. "type": "double"
  864. },
  865. "uniq_hosts": {
  866. "type": "long"
  867. }
  868. }
  869. }
  870. }
  871. }'